系統環境:centos6.3
puppet: puppet-2.7.13
facter: facter-1.6.5
ruby: yum源
注:
facter用來獲取客戶端系統信息(如hostname,ip,OS-Version,fqdn等)
ruby是puppet的開發環境
puppet server: 192.168.7.196
puppet client: 192.168.7.197
(server)為僅服務器端配置
(client)為僅客戶器端配置
(server,client)為服務器端與客戶端配置
一.配置環境(server,client):
1.關閉iptables和selinux(server,client)
# service iptables stop
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
2.安裝ruby開發環境(centos6.3默認更新源)(server,client)
# yum -y install ruby*
3.計劃同步時間:(server,client)
每5分鐘同步一次時間
# crontab -e
-------------
*/5 * * * * /usr/sbin/ntpdate -u asia.pool.ntp.org
-------------
# service crond restart
# chkconfig crond on
4.修改服務器及客戶端HOST及主機名:
(server,client)
# vi /etc/hosts
-------------------
192.168.7.196 server.example.com server
192.168.7.197 client.example.com client
-------------------
(server)
# vi /etc/sysconfig/network
----------------
HOSTNAME=server.example.com
----------------
(client)
# vi /etc/sysconfig/network
----------------
HOSTNAME=client.example.com
----------------
二.安裝應用軟件(server,client):
(server):
1.安裝facter:
# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz
# tar zxvf facter-1.6.5.tar.gz
# cd facter-1.6.5
# ruby install.rb
2.安裝puppet:
# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz
# tar zxvf puppet-2.6.13.tar.gz
# cd puppet-2.6.13
# ruby install.rb
# cp conf/auth.conf /etc/puppet/
# cp conf/redhat/fileserver.conf /etc/puppet/
# cp conf/redhat/puppet.conf /etc/puppet/
# mkdir -p /etc/puppet/manifests
設置開機啟動腳本:
# cp conf/redhat/server.init /etc/init.d/puppetmaster
# chmod +x /etc/init.d/puppetmaster
# chkconfig --add puppetmaster
# chkconfig puppetmaster on
生成pupput用戶:
# puppetmasterd --mkusers
啟動puppetmaster服務(端口:8140):
# service puppetmaster start
(client):
1.安裝facter:
# wget http://downloads.puppetlabs.com/facter/facter-1.6.5.tar.gz
# tar zxvf facter-1.6.5.tar.gz
# cd facter-1.6.5
# ruby install.rb
2.安裝puppet:
# wget http://downloads.puppetlabs.com/puppet/puppet-2.6.13.tar.gz
# tar zxvf puppet-2.6.13.tar.gz
# cd puppet-2.6.13
# ruby install.rb
# cp conf/auth.conf /etc/puppet/
# cp conf/namespaceauth.conf /etc/puppet/
# cp conf/redhat/puppet.conf /etc/puppet/
設置開機啟動腳本:
# cp conf/redhat/client.init /etc/init.d/puppet
# chmod +x /etc/init.d/puppet
# chkconfig --add puppet
# chkconfig puppet on
# vi /etc/puppet/puppet.conf
在[agent]條目下添加以下內容:
-------
Listen = true
Server = server.example.com
--------
# vi /etc/puppet/namespaceauth.conf
修改成以下內容:
---------
[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *
---------
生成pupput用戶:
# puppetmasterd --mkusers
啟動puppet服務(端口:8140):
# /etc/init.d/puppet start
至此安裝完畢,現在需要配置客戶端與服務器端的認證連接,從而將服務器端的配置的內容分發到各個客 戶端,實現集中配置管理。
三.認證並分發:
(client):
客戶端發送請求
# puppetd --test --server server.example.com
報錯:
--------------------
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
--------------------
解決方法:
這可能是換了不同的兩台puppetmaster服務器引起的。解決方法,刪除現有ssl證書。
# find /var/lib/puppet -type f -print0 |xargs -0r rm
重新發送請求:
# puppetd --test --server server.example.com
-------------------
info: Creating a new SSL key for client.example.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.example.com
info: Certificate Request fingerprint (md5):
32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
-------------------
發送成功。
(server):
服務器端查看是否有請求證書的客戶端服務器
# puppetca --list
------------------
client.example.com (32:E8:CD:32:BF:62:86:64:B3:98:A4:EB:8A:71:D2:99)
------------------
收到客戶端認證信息
服務器端對client.example.com簽名
# puppetca -s client.example.com
或對所有客戶端全部簽名
# puppetca -s -a
查看驗證簽名,注意前面的+號,說明已經簽名
# puppetca -a --list
---------------------
+ client.example.com (19:6F:4C:84:B1:69:16:3C:A1:38:C2:2E:6F:B6:67:12)
---------------------
md5驗證服務器端收到的證書是否正確
(server):
# md5sum /var/lib/puppet/ssl/ca/signed/client.example.com.pem
---------------------
1ebfd47775ec8f3e2ae112d75ccba132 /var/lib/puppet/ssl/ca/signed/client.example.com.pem
---------------------
(client):
# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem
---------------------
1ebfd47775ec8f3e2ae112d75ccba132 /var/lib/puppet/ssl/certs/client.example.com.pem
---------------------
MD5值相同,說明我們的puppetmaster和客戶端的puppet已經成功建立通信
注:出現修改主機名問題引起無法認證,需要重新申請證書,操作可以按照如下兩個步驟:
(server):
# rm -rf /var/lib/puppet/ssl/ca/signed/*.pem // "*.pem"為修改過主機名的證書
(client):
# rm -rf /var/lib/puppet/ssl/
配置完畢,開始驗證分發效果:
(server):
修改server端配置文件:
# vi /etc/puppet/manifests/site.pp
-----------------
node default{
file { "/tmp/test":
content=> "this is a test file";
}
}
-----------------
重啟puppetmaster,更新配置文件信息。
# service puppetmaster restart
(client):
重啟puppet(可不用重啟)
# service puppet restart
同步文件:
# puppetd --server server.example.com --test
------------------
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for client.example.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for client.example.com
info: Applying configuration version '1369124449'
notice: /Stage[main]//Node[default]/File[/tmp/test]/ensure: defined content as '{md5} 100b144907af2a4786003758a0a6a563'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.02 seconds
------------------
查看/tmp/test文件及文件內容
# cat /tmp/test
-----------
this is a test file
-----------
完成。
